HIPAA Compliance: Not a “One-and-Done” Endeavor

21 Jan

We’re facing a new year in the age of HIPAA Compliance. If any MSP thinks, however, that governing bodies like the Office for Civil Rights (OCR) will reduce the amount of HIPAA penalties to be levied in the future, that’s simply wishful thinking. Judging by the totals from 2018, violation settlements are a persistent phenomenon, creating a strong argument for ongoing network assessments.

Although a record high number of HIPAA settlements transpired in 2016, settlements in 2017 and 2018 were not far behind that rate of infraction.

Some examples of expensive 2018 settlements:

The medical record storage firm Filefax, Inc. sustained a $100,000 penalty early in 2018

Fresenius Medical Care North America was subject to a $3,500,000 fine

EmblemHealth was fined $575,000 in March of 2018 by the New York Attorney General’s Office

Aetna was fined $1,150,000 in January for a breach that occurred in July of 2017

And in late 2018, Anthem Inc.’s infamous multi-million dollar violation case, one of the most costly in HIPAA’s history, was settled for $16,000,000.

2018 did not surpass 2016 in the number of financial penalties levied. However, it was marked by a record-breaking total amount of penalties. The OCR levied $25,683,400 in fines over the course of the year for HIPAA violations, with the mean penalty being more than $2.5 million.

According to The HIPAA Journal, “HIPAA enforcement is likely to continue to see financial penalties issued for common HIPAA violations such as the failure to conduct regular risk assessments.” As such statements show, ongoing risk assessments are not just recommended, they’re required. And for good reason.

The typical MSP customer base will continue to be vulnerable as long as the OCR and other government agencies continue to conduct audits. This is why RapidFire Tools has always advocated for ongoing network risk assessments. HIPAA compliance is never a “one-and-done” proposition. It requires an evolving, long-term commitment on the part of any company that has exposure to electronic patient data. And recall that “covered entities,” or companies that can be subject to HIPAA fines, include any business associate that may have access to an IT network of a healthcare company maintaining these records.

We understand that the scope of such an opportunity is tremendous. Yet the task of maintaining the detailed documentation required for a company to defend itself against a HIPAA compliance audit is daunting and prohibitive.

That’s why we’ve made it part of our mission to automate the process. RapidFire Tools’ Audit Guru for HIPAA Compliance provides a step-by-step framework to help MSPs more easily conduct HIPAA audit and compliance services. It removes the guesswork from compliance-as-a-service by automating the production of mandatory HIPAA reporting documentation.

Not only do such recurring assessments provide insights that can indicate a breach, they prove that the end-customer has taken significant steps to remain diligent in its compliance efforts. Such evidence is crucial in reducing the penalties in the event of an audit, since the organization in question has demonstrably tried to avoid data compromise.

But ongoing assessment is key here.

The OCR will not let up when it comes to unearthing HIPAA violations and enacting budget-breaking, devastating penalties. It’s up to you—and your clientele—to make HIPAA risk assessments a continuous effort. And as a savvy MSP, the more you can take advantage of sophisticated tools to help you automate the process and immerse your clients in a culture of compliance, the more easily you can manage a profitable HIPAA compliance practice across a multitude of customers—mitigating untold risks in the process.